Data Protection:
An enabler?
David Freeland, Senior Policy Officer
23 October 2014
An international act…
“We've got a piece of legislation called the Data
Protection Act. It's UK legislation but I feel certain
that you must have something similar in Scotland.”
A high street financial institution
A balancing act…
“Whereas data-processing systems are designed to
serve man; whereas they must, whatever the
nationality or residence of natural persons, respect
their fundamental rights and freedoms, notably the
right to privacy, and contribute to economic and
social progress, trade expansion and the well-being
of individuals”
Recital 2, European Directive 95/46/EC on the protection of individuals with regard
to the processing of personal data and on the free movement of such data
What is personal data?
Personal data relate to a living individual who can
be identified from those data and/or other
information and includes opinions and intentions of
the data controller or any other person in respect of
the individual.
What is sensitive personal data?
Sensitive personal data relate to racial or ethnic
origin, political opinions, religious beliefs, trade
union membership, health, sexual life and criminal
activity.
What records are covered?
Electronic




Data
Texts
Images
Recordings
Manual records
 Intention of being automated
 Structured filing system
 Unstructured records – public bodies
The 8 Data Protection Principles
Personal information must be…
1. Processed fairly and lawfully
2. Obtained only for one or more
specified lawful purposes
3. Adequate, relevant and not
excessive
4. Accurate and, where
necessary, kept up to date
5. Kept for no longer than is
necessary
6. Processed in accordance with
individuals’ rights
7. Subject to appropriate technical
and organisational measures to
prevent the unauthorised or
unlawful processing, or the
accidental loss, destruction, or
damage to, personal data
8. Only transferred to a country or
territory outside the EEA where
adequate levels of protection
for the rights and freedoms of
individuals in relation to the
processing of personal data can
be ensured
Lawful – conditions for processing
Personal data
Sensitive data
Consent
Contract
Legal obligation
Vital interests
Administration of justice
Public function in the public
interest
Legitimate interests of the
data controller and third
party but not prejudicial to
individual
Explicit consent
Employment law
Vital interests
Not-for-profit TU/religious/
political/philosophical groups
Put in public domain by the
individual
Legal proceedings/advice
Functions under enactment
Anti-fraud activity
Medical purposes
Equal opps monitoring
Substantial public interest
(SI 2000/417)
Lawful – conditions for processing
Personal data
Sensitive data
Consent
Contract
Legal obligation
Vital interests
Administration of justice
Public function in the public
interest
Legitimate interests of the
data controller and third
party but not prejudicial to
individual
Explicit consent
Employment law
Vital interests
Not-for-profit TU/religious/
political/philosophical groups
Put in public domain by the
individual
Legal proceedings/advice
Functions under enactment
Anti-fraud activity
Medical purposes
Equal opps monitoring
Substantial public interest
(SI 2000/417)
Additional conditions (SI 2000/417)
 The processing is in the substantial public interest
 Must be carried out without explicit consent so as not to
prejudice the purpose or function
1. Necessary for the detection or prevention of any unlawful
act (or failure to act)
2. Necessary for a function designed to protect the public
against
a.
b.
dishonesty, malpractice, serious improper conduct, incompetence or
unfitness of any person, or
Mismanagement in the administration of, or failures in services
provided by, any body or association
Crime and investigations
Section 29: Crime and taxation exemption
 Purpose: detecting or preventing a crime
 Exempt from giving fair processing information and giving
information in response to a SAR to the extent to which
provision would be likely to prejudice the investigation
 You can share intelligence that may help detect or prevent a
crime on a need-to-know basis
Data Sharing Code of Practice
 ICO required by law to produce
 Approved by Secretary of State and UK Parliament
 Not following Code is not necessarily a DPA breach
 Provides ‘good practice’ advice
 Admissible in court proceedings
 Poses questions you need to answer
Putting it into practice
Clear policies, guidance and procedures
Staff training – initial and refresher
Clear lines of escalation and decision making
Audit trails, and audit the audit trails
Work with appropriate people in your organisation – data
protection specialists, lawyers, internal audit
 Take account of professional standards in handling personal
information
 Appropriate contacts in other organisations





Key points
 Data protection is a framework, not a barrier
 Lawful, proportionate and relevant information sharing only
 Right information to the right people at the right time
 Be prepared – know the legal basis, and have an audit trail
 How would you want your information to be treated?
 What harm is likely to result from not sharing?
Keep in touch
Scotland Office:
45 Melville Street
Edinburgh EH3 7HL
T: 0131 244 9001 E: scotland@ico.org.uk
Subscribe to our e-newsletter at www.ico.org.uk or find
us on…
/iconews
@iconews